Assessing Different Levels of Time Retention for Business Interruption Coverage on Cyber Insurance

Academic year: 2022

GRA 19703

Master Thesis

Thesis Master of Science

Assessing Different Levels of Time Retention for Business Interruption Coverage on Cyber Insurance

Name: Mats Lambech, Kristoffer Sjur Høglo

Start: 15.01.2020 09.00

Finish: 01.09.2020 12.00


BI Norwegian Business School

Assessing Different Levels of Time Retention for Business Interruption Coverage on Cyber Insurance

Program:

Master of Science in Business, Major in Accounting and Business Control

Examination Code and Course Name:

GRA 19703 - Master Thesis

Supervisor:

Morten Lund

Hand-in Date:

29.06.2020


Acknowledgements

This master thesis is the culmination of our Master of Science program in Accounting and Business Control at BI Norwegian Business School.

We want to express our gratitude to our supervisor Morten Lund, for his guidance, advice, and help towards setting up interviews, without which this thesis would be limited to a far smaller scope.

We would also like to thank our interviewees Eirik Lund, Glennie Ingebrigtsen, and Nanna Unhammer, for their time, engagement, knowledge, and for helping us gain insight into their work and industry. Their cooperation was essential for this thesis.


Abstract

As a consequence of the digitalization in companies, cyber-related risk has increased substantially. Cyber insurance has, therefore, emerged as a tool to mitigate cyber risk. Cyber risk behaves differently compared to more traditional risks such as business interruption and property damage. These are relatively immobile, whereas cyber risk is fast-paced and has an inherent ability to simultaneously impact multiple entities, as well as having the potential to cause extensive damage in a short period of time, regardless of traditional limitations of risk such as geographical location and being contingent on tangible assets. Elements of traditional insurance policies, such as waiting periods and risk estimation, may thus be inadequately adapted to cyber risk.

This thesis, therefore, explores the effect that time retention, i.e., the waiting period, has on the expected utility of cyber insurance during a business interruption caused by a cyber incident. Through in-depth interviews with industry professionals, and analyses of cyber policies, questionnaires, and underwriter guidelines, we developed a model which derives the expected utility of cyber-related business interruption coverage. The model was used to analyze and evaluate the current conditions of cyber-related business interruption coverage.

The findings from the model illustrate that cyber-related business interruption coverage and the current time retention levels for cyber insurance are neither well adjusted nor suitably adapted to the present cyber risk exposure.


Table of Contents

1 Introduction... 1

1.1 Background for the Thesis ... 1

1.2 Purpose of the Thesis ... 3

1.3 Cyber Insurance Market Today. ... 4

2 Literature Review ... 5

2.1 Cyber Insurance Market ... 5

2.1.1 Incentives and Barriers of the Cyber Insurance Market in Europe ... 5

2.1.2 The Cyber Insurance Market in Sweden ... 6

2.2 Policies ... 7

2.2.1 Optimal Insurance Policies ... 7

2.2.2 Premium Calculation and Insurance Pricing ... 7

2.2.3 Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk? ... 7

2.3 Cyber Insurance ... 8

2.3.1 What do we Know About Cyber Risk and Cyber Risk Insurance? ... 8

2.3.2 Insurability of Cyber Risk: An Empirical Analysis ... 9

2.3.3 Insurance when the Internet goes Down ... 10

2.3.4 Effect of Cyber Insurance on Social Welfare ... 10

2.4 Cyber Data and Market Challenges ... 12

2.4.1 The Cybersecurity Imperative Pulse Report ... 12

2.4.2 Enhancing the Role of Insurance in Cyber Risk Management ... 13

2.5 Summary of Literature Review ... 15

3 Theoretical Framework... 15

3.1 Definitions ... 15

3.1.1 The Actors ... 16

3.1.2 Risk Management ... 16

3.1.3 Insurance Contract ... 17

3.1.4 Retention ... 17

3.1.5 Cyber Risk ... 18

3.2 Properties of Cyber Insurance ... 19

3.2.1 Impact ... 19

3.2.2 Probability... 19

3.2.3 Coverage ... 20

3.2.4 Information Asymmetry ... 20

3.3 Insurance Market ... 20

3.3.1 Insurance Industry ... 23


3.4 Business Interruption ... 25

3.4.1 Waiting Period ... 25

3.5 Utility Theory ... 26

4 Methodology ... 28

4.1 Methodological Approach ... 28

4.2 Methods for Data Collection ... 29

4.2.1 Interviews ... 29

4.2.2 Model ... 30

4.3 Methods of Analysis ... 31

4.3.1 Interviews ... 31

4.3.2 Analysis of the Themes ... 34

4.3.3 The Development of the Model ... 37

4.4 Justification of Methodical Choices ... 37

5 Model ... 38

5.1 Summary of the Model and the Models' Output... 38

5.2 Expected Utility Explained by Case ... 39

5.3 Expected Utility Function of Business Interruption Insurance ... 40

5.3.1 Good State and Bad State ... 40

5.3.2 Deductible ... 40

5.3.3 Expected Utility ... 40

5.3.4 Function Output: The Model ... 41

5.4 Companies Included in the Model ... 42

5.5 Hazard Classes & Industry Factors... 43

5.5.1 Generalizing Hazard Classes ... 43

5.5.2 Chubb and The Hartford - Industries and Related Hazard Classes ... 43

5.6 Estimation of Premium ... 44

5.6.1 Estimation of Premium for Business Interruption Coverage on Cyber Insurance ... 44

5.6.2 Differences in Premium between Carriers ... 44

5.6.3 Calculation of Premium - Omitting Values ... 45

5.7 Loss Function... 45

5.7.1 Hazard Class-Specific Loss Factor ... 45

5.8 Assumptions ... 46

5.8.1 Entity Parameters ... 46

5.8.2 Linear Interpolation ... 46

5.8.3 Hazard Class ... 47

5.9 Limitations ... 47

5.9.1 Missing Data ... 47


5.10 Approximation ... 48

5.10.1 Average ... 48

5.11 Simplification ... 48

5.11.1 Simple Function ... 48

5.11.2 Linear Loss-Function ... 48

5.12 Trade-Offs... 49

5.13 Our Comments ... 49

5.14 The Chosen Parameters ... 49

5.14.1 Probability... 49

5.14.2 Revenue ... 50

5.14.3 Length of Attack ... 50

5.14.4 Waiting Period ... 50

Coverage ... 51

5.15 Hypotheses ... 51

6 Results ... 52

6.1 Results of Hypotheses... 53

6.1.1 Results for 10% Probability ... 53

6.1.2 Results for 5% Probability ... 53

6.1.3 Results for 1% Probability ... 54

6.1.4 Summary of the Results of the Hypothesis Testing... 57

7 Discussion ... 57

7.1 Higher Levels of Probability ... 58

7.2 Lower Level of Probability ... 61

7.2.1 Revenues Smaller or Equal to $100 000 000... 61

7.2.2 Revenue Greater than $250 000 000 ... 62

7.3 Summary of Discussion ... 67

8 Final Conclusion ... 68

9 References ... 71

9.1 References in General ... 71

9.2 References of Policies Accessed from SERFF: ... 79

10 Appendices... 82

10.1 Transcription and Analysis of Interviews ... 82

Appendix A1 - Transcription and Analysis of Interview with Eirik Lund 13.01.20 ... 82

Appendix A2 – Transcription and Analysis of Interview with Nanna Unhammer 04.02.20 ... 98


Appendix A3 - Transcription and Analysis of Interview with Glennie Ingebrigtsen 13.02.20 ... 122

10.2 Figures and Illustrations ... 144

Appendix B1 - Figure 11 ... 144

10.3 Tables ... 145

Appendix C1 - Table 2 ... 145

Appendix C1 - Table 3 ... 145


1 Introduction

1.1 Background for the Thesis

The complex and comprehensive nature of the modern business world triggers businesses' need to limit their scope of risks. For businesses, the need to mitigate the effect of business interruption due to cyber incidents is increasing. Thus, there is a need to observe how the prevailing conditions of business interruption coverage fit the modern world of business and cyber risk.

Technology is everywhere around us. We use our smartphones to check the weather and update us on the news. Cars can operate autonomously, and there are whole industrial complexes that are dependent on the Internet of Things (IoT), a method of communication between devices without humans intervening. This dependency on technology exposes companies to cyber risk, which involves the possibility of significant interruptions due to illicit actions, causing extensive implications for companies. As illustrated by McAfee and Center for Strategic and International Studies, the consequences can be colossal; having estimated the global cost of cybercrime to be as much as $600 billion in 2017 (CSIS & McAfee, 2018).

The increased interest in efforts to mitigate the impact of cyber incidents can be explained by cyber risk becoming increasingly relevant due to several cyber incidents across the globe. Cyber risk achieved heightened notoriety as a result of cyber attacks such as the NotPetya cyber attack in 2017 (Perlroth, Scott & Frenkel, 2017), the hack of Equifax, and the ransomware attack on Hydro in 2018 (Hydro, 2019). Besides receiving public attention, the attacks had a devastating economic effect on the affected companies. Among the several companies that have experienced the impact of comprehensive attacks, Maersk, a shipping and logistics giant, suffered losses between $250 million and $300 million from a cyber attack in 2017 (A.P.Møller - Mærsk, 2017, p. 54). Capital One, a financial corporation, had losses of between $100 and $150 million in 2019 due to a single cyber incident (Trefis Team, 2019). These incidents illustrate how comprehensive and damaging some of these attacks can be. The considerable worldwide technological advances are increasing companies' exposure to cyber risk. The question then becomes not who is exposed to cyber risk, but how to effectively hedge this risk; one of these hedges may be what is known as cyber insurance.

As cyber risk has grown, the consensus has shifted from cyber risk being a concern related only to cyber security to it now also being a concern for the business domain (Toregas & Zahn, 2014, p. 5). Cyber risk being a "business problem" indicates that cyber security is no longer the only viable solution, but that business-related solutions such as insurance can also be used to mitigate some of the problems related to cyber risk.

The primary purpose of cyber insurance is to protect customers against uncertainty and loss, hence maximizing their profits through mitigation of their cyber risk (Kuru & Bayraktar, 2017, p. 3). Accenture Security, in collaboration with the Ponemon Institute, identified that the average cost of cyber crime to "large-sized organizations" was $13.0 million in 2018 (Accenture Security & Ponemon Institute, 2019, p. 11). The astounding costs of cyber crime and the accelerating exposure due to technological progress have facilitated the development of cyber insurance tools. The demand for cyber insurance is flourishing, as indicated by the NAIC's report, which states an increase of 14.54% in the total U.S. cyber insurance market from 2017 to 2018 (NAIC, 2019). While the demand is flourishing, the obstacle is estimating whether cyber insurance is economically sustainable to provide and to purchase.

Like any other insurance product, cyber insurance has its advantages and disadvantages. One of the current shortcomings of cyber insurance is the lack of empirical data and accurate estimation tools, which impedes the development of cyber insurance products. Lack of data, including information on occurrences, and the comprehensiveness of the incidents reinforce the difficulty of estimating the relation between coverage and premium (Biener, Eling & Wirfs, 2015). This shows that there is a substantial need for applicable economic hedges against cyber attacks.

Therefore, it is important to research the potential impact and further implications of cyber insurance.


1.2 Purpose of the Thesis

Cyber risk can affect a company in several different domains, be it a ransomware attack, loss of intellectual property, or an incident that results in a business interruption and financial loss. Thus, risks may impact individual entities asymmetrically and be unique in duration and severity, depending on the circumstances of the risk and the attributes of the entity. As a result, there is no "one-size-fits-all". The ensuing conclusion is that entities may need differently designed policies even when exposed to identical cyber risks. Therefore, the thesis aims to explore whether there is a positive return when given a choice of retention level in the form of an adjustable waiting period. This involves whether there exists an optimal level of time retention, given a probability and length of a cyber incident.

Toregas and Zahn (2014, p.5) state that the e-commerce market is worth $7 trillion, making it a lucrative target for cyber attacks. Potential losses were estimated at up to $3.4 million per hour during "Cyber Monday" in 2013. Such losses can be detrimental to e-commerce businesses. Toregas and Zahn (2014, p.4) further state that the damage experienced by companies is on average more than $9 million. This, in turn, promotes the necessity of a feasible economic hedge such as cyber-related business interruption coverage.

The demand for cyber-related business interruption coverage is soaring. Advisen and PartnerRe performed a survey in 2019 of insurance carriers and brokers as well as their customers, in which respondents chose their top three most requested cyber coverages; business interruption was among the top three choices of 61% of the respondents (PartnerRe & Advisen, 2019, p. 4). The complicated calculation of business interruption and the demand side's vague understanding of how the industry views retention rates, combined with the poor fit of the waiting period to modern cyber risk, indicate that there is significant potential for future research and exploration (Schumann, 2013; Cohen, n.d.; Deloitte, 2016).

We want to observe and determine whether the current cyber insurance environment of business interruption coverage is suited for the comprehensive nature of cyber risk. This is due to the unique properties of cyber incidents, such as the lack of geographical limitations, the scope of impact, and network effects enhancing the impact. This leads to the question of whether or not the current parameters for cyber-related business interruption coverage are suited for companies exposed to cyber risk.

To estimate and analyze the effect the retention rates have on the expected utility of an entity, we will develop a model based on previous research on utility theory and insurance. Kuru and Bayraktar (2017) illustrated a simple function for the expected utility of insurance. Romanosky, Ablon, Kuehn, and Jones (2019) looked at how cyber premiums are priced. We will combine and adjust the results and approach of these two papers to theoretically determine whether an entity should insure, and which retention rate is preferable and achieves the highest level of utility for an entity given a probability, industry, and revenue.

1.3 Cyber Insurance Market Today

Today's cyber insurance market can be characterized as an emerging market where large companies initially have shown greater interest than small and medium-sized enterprises (SMEs) (N. Unhammer, personal communication, February 4, 2020; Franke, 2017). Arguably, large companies have adopted cyber insurance at a higher pace than SMEs, as large companies to a larger extent than SMEs have professionalized risk assessment procedures and routines. Large companies also, in many cases, have a global organization, which is more dependent on digital solutions such as their internal cyber networks and IT systems. The cyber risk of large companies is thus more severe when it comes to business interruptions, which can leave the better part of an organization paralyzed.

It is also arguable that it could be less complicated for an SME to continue operating their business manually or restore their digital solution in a state of emergency, compared to the more global and complex structure often observed in larger companies.

This, however, does not mean that SMEs are exposed to less risk than large companies. Large companies have their own IT departments, IT procedures and training, while small companies usually have less developed routines and digital systems, and no IT departments. A cyber attack on an SME may, therefore, pose a more severe risk compared to that on a large company. The lack of IT safety routines and in-house IT competence in SMEs may also make the long-term effects of cyber issues more time-consuming to resolve. Therefore, it can be argued that it is more critical for an SME to have cyber insurance compared to large companies.

The losses inflicted by a cyber attack on a large company will naturally be more significant in value compared to an attack on an SME, but SMEs' losses are, according to ESI Thoughtlab (2019), larger as a percentage of revenue relative to the losses in large and very large companies (see Table 1).

2 Literature Review

2.1 Cyber Insurance Market

2.1.1 Incentives and Barriers of the Cyber Insurance Market in Europe

In June 2012, the European Network and Information Security Agency (ENISA) published a paper on the incentives and barriers of the cyber insurance market in Europe. They found that the drivers for the demand side of the cyber insurance market are rooted in companies' need for privacy, mitigation of post-attack costs, and reputational risk. ENISA also found indications that the cyber insurance market in Europe is small compared to the US market, evidenced by just a handful of carriers offering cyber insurance in Europe, compared to 30-40 in the US. Further, ENISA points to the lack of data, the perception that existing insurance products are sufficient to cover cyber risk, uncertainty in predicting future losses, and the lack of adequate reinsurance as some of the main obstacles identified in the academic literature regarding cyber insurance. In addition to pointing out obstacles in the cyber insurance market, ENISA also points out several incentives, such as lowering premiums through demands for higher IT security (given a causal link between the two), processes to set IT security standards for underwriting, certification of IT security products and services, etc. Furthermore, ENISA explains that the main incentives can be linked firstly to the expectation of better ways to determine the most effective risk-reducing measures. In turn, this could stimulate a range of secondary markets due to increased supply, as cyber insurance customers would become "a better" risk for the insurance carriers.


Lastly, ENISA proposes four recommendations for future research and investigation.

• Firstly, they propose a collection of empirical evidence to increase the quantitative empirical work on prices, volume, or losses.

• Secondly, they suggest looking into if changes to European consumer rights legislation could affect companies' willingness to improve their risk management practices, rather than using cyber insurance to manage reputational damage.

• Thirdly, they recommend looking into if frameworks for the measurement of information value would lead risk managers to better value or price information assets, and in turn, be able to better consider insurance as a tool to support the company's activities.

• Lastly, they recommend looking into whether it would be possible to implement a public policy which would intervene by setting itself as an insurer of last resort (ENISA, Robinson & Rand Europe, 2012).

2.1.2 The Cyber Insurance Market in Sweden

Ulrik Franke, a senior researcher at RISE (Research Institutes of Sweden), published a characterization of the Swedish cyber insurance market in 2017, based on semi-structured interviews with insurance intermediaries, insurance companies, and reinsurance companies. According to Franke, this essentially amounted to all companies selling cyber insurance in the Swedish market. He found that the coverages offered differed, as did the underwriting processes used. He also found that the typical annual premium for cyber insurance is in the range of 0.5-1% of the indemnity limit (Franke, 2017, p.130). Franke found that the insurance companies impose requirements for information and IT security upon their customers and do not insure those who are immature or lack the required security. Thus, Franke argues that cyber insurance is not only a medium for risk transfer but also includes elements of avoidance and mitigation. He also found that his sources all agreed that among the Nordic countries Sweden and Denmark are the more mature markets, with Finland somewhere in the middle and Norway to some extent trailing behind (Franke, 2017, p. 136). In addition, the Swedish cyber insurance customers are, for the most part, large companies.


2.2 Policies

2.2.1 Optimal Insurance Policies

Multiple articles define optimal insurance policies and coverage. George G. Szpiro stated in 1985 that one of the more important findings is "that coverage decreases when risk premium increases." (Szpiro, 1985, p.1). Szpiro's paper builds on this by using a mathematical approach to take a more explicit look at optimal choices of coverage under different assumptions, and concludes that different assumptions will influence the choice of coverage. Szpiro references Artur Raviv's research from 1979, which concludes "that the pareto optimal insurance contract involves a deductible and coinsurance of losses above the deductible." (Szpiro, 1985, p.1). Raviv's article also states that the coinsurance is a byproduct of risk or cost sharing between the insurer and the insured (Raviv, 1979). These two articles represent only a small part of the literature on the subject of the formulation of insurance policies and related aspects.

2.2.2 Premium Calculation and Insurance Pricing

An essential part of insurance theory is the calculation of insurance premiums.

Roger J. A. Laeven and Marc J. Goovaerts published a paper in 2007 explaining classical theories and their generalizations. As well as summarizing the main issues and results and outlining current advancements on the subject, Laeven and Goovaerts define the price of insurance, also known as the premium, as "the monetary value for which two parties agree to exchange risk and "certainty"" (Laeven & Goovaerts, 2008, p.2). They also list properties that premium principles may or may not satisfy.

2.2.3 Content Analysis of Cyber Insurance Policies: How do Carriers Price Cyber Risk?

There exists much theoretical literature about cyber insurance. Still, there is little practical and qualitative research available about the content of cyber insurance policies and how the carriers price cyber policy premiums. Sasha Romanosky, Lillian Ablon, Andreas Kuehn and Therese Jones (2019) therefore conducted a systematic qualitative analysis of cyber insurance policies filed with the state insurance commissions to answer the following three questions:

i) What losses are covered by cyber insurance policies, and which are excluded?

ii) What questions do carriers pose to applicants in order to assess risk?

iii) How are cyber insurance premiums determined - what factors about the firm and its cybersecurity practices are used to compute the premiums?

This paper is the first systematic qualitative analysis of the underwriting process for cyber insurance. At the same time, the authors uncover how insurance companies understand and price cyber risk. The sample size was determined by thematic saturation; 235 filing dockets filed in New York, Pennsylvania, and California between 2007 and 2017 were collected. Each docket consisted of a zipped file that usually contained dozens of individual documents, which could include, among other things, coverage and exclusion forms, security questionnaires, and rate schedules.

There is very little information available for the public on the content; thus, there is a lack of transparency in the underwriting process of cyber insurance policies (Romanosky, Ablon, Kuehn & Jones, 2019).

2.3 Cyber Insurance

2.3.1 What do we Know About Cyber Risk and Cyber Risk Insurance?

In 2016 Martin Eling and Werner Schnell summarized research on what was known about cyber risk and cyber risk insurance. They aimed to establish a database of studies, articles, and working papers on cyber risk and insurance, with a focus on the business and economics literature in the field of risk and insurance. They used a standardized search and identification process to create a database of 209 papers, from which the primary research results were extracted. Through this database, they conclude that no established model for cyber risk exists. They further argue that this may be due to the lack of data on the matter, most likely because affected entities often do not disclose incidents. This lack of data leads to challenges in risk management and the insurability of cyber risk (Eling & Schnell, 2016, p.474). They outline three significant insurability challenges of cyber risk: first, the independence and predictability of losses are not given, so risk pools do not always work correctly; second, information asymmetry, in the sense that companies which have already been attacked are more likely to buy cyber insurance, leading to adverse selection; and last, the challenge of moral hazard through changed behavior after buying insurance, for example in the form of less incentive to invest in self-protection measures.

When it comes to future research, Eling and Schnell state that the existing research in 2016 was mainly focused on the supply side of insurance, while much room was left for research on the demand side of cyber insurance. As for the future of cyber insurance, the authors argue that the market is still in its early stages, but there have been several new entries into the market. Therefore, one can expect risk pools to grow and more data to become available. In turn, this will increase insurance capacity and drive prices down. Lastly, they argue that it may be important to establish standards on definitions, coverage, and underwriting risk assessment, to reduce some of the current problems in the cyber insurance industry.

2.3.2 Insurability of Cyber Risk: An Empirical Analysis

Christian Biener, Martin Eling, and Jan Hendrik Wirfs researched the insurability of cyber risk using an empirical analysis approach, systematically reviewing the results in the light of the insurability criteria set by Berliner in 1982. They support the understanding that there are problems with the insurability of cyber risk and the creation of a sustainable cyber insurance market, due to "highly interrelated losses, lack of data and severe information asymmetries" (Biener et al., 2015, p. 131). They especially point to the lack of data and the need for more elaborate research on cyber insurance in order to develop the necessary models and create sustainable cyber insurance policies. The empirical analysis in light of the Berliner insurability framework finds that the leading difficulties are the randomness of loss occurrence, information asymmetry, and the cover limits (Biener et al., 2014, p. 148). Taking into account the result of the analysis, they suggest the establishment of "minimum standards on coverage limits and pre-coverage risk assessment as well as clear-cut definitions of cyber risk" (Biener et al., 2015, p. 149). This can be viewed as a proposed solution to eliminate some of the problems related to the insurability of cyber risk.


2.3.3 Insurance when the Internet goes Down

Gerking and Smith addressed the problem caused by the traditional length of waiting periods in cyber insurance policies in their article from 2017. They looked at the most significant DDoS attack to have ever hit a US company. The attack consisted of several separate attacks, which were fully resolved within 11 hours. Therefore, they argue that a traditional waiting period of 12 hours (or more) is not adapted to the cyber risk currently faced by companies.

They justify this through two arguments;

• Firstly, they argue that 12 hours is a substantial time not being able to conduct business over the Internet, implying that the waiting period is too long for the kind of risk being insured.

• Secondly, they argue that today's policies and their carriers would argue that since there were several separate attacks, they should also be viewed and treated as separate claims.

None of the individual attacks came near the 12-hour waiting period. Gerking and Smith also stated that since the attack affected a provider of services (a third-party provider), few or none of its customers were affected for the full duration of the attack. They concluded that the waiting period and the limited business interruption coverage of cyber insurance policies are two significant limitations of cyber insurance policies.
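The two arguments above turn on a simple calculation: how many outage hours a business interruption policy actually pays for once the waiting period is deducted, and whether a multi-wave incident is settled as one claim or as several. The following Python script is an added illustration for this thesis section, not code from the thesis or from Gerking and Smith. It constructs a hypothetical incident of three outage waves resolved within 11 hours (the wave timings, the hourly revenue, and the candidate waiting periods are all assumed values) and compares the compensation under both claim treatments, which shows why a 12-hour retention leaves such an incident entirely uninsured.

```python
"""Covered business-interruption loss under a time retention (waiting period).

Added illustration for the Gerking and Smith discussion; not code from the
thesis. Every number in SAMPLE_WAVES, HOURLY_REVENUE and WAITING_PERIODS is
constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Wave:
    """One outage wave, given as hours since the start of the incident."""
    start: float
    end: float

    @property
    def hours(self) -> float:
        return self.end - self.start


def validate_waves(waves: List[Wave]) -> None:
    """Waves must have positive length and must not overlap."""
    ordered = sorted(waves, key=lambda w: w.start)
    for prev, cur in zip(ordered, ordered[1:]):
        if prev.end > cur.start:
            raise ValueError(f"overlapping waves: {prev} and {cur}")
    for w in waves:
        if w.hours <= 0:
            raise ValueError(f"wave with non-positive length: {w}")


def uninsured_loss(waves: List[Wave], hourly_revenue: float) -> float:
    """Revenue lost with no insurance at all: every outage hour is borne."""
    validate_waves(waves)
    return sum(w.hours for w in waves) * hourly_revenue


def compensation_separate_claims(waves: List[Wave], waiting_period: float,
                                 hourly_revenue: float) -> float:
    """Carrier treats each wave as its own claim, so the waiting period is
    deducted from every wave separately (the second argument in the text)."""
    validate_waves(waves)
    covered_hours = sum(max(0.0, w.hours - waiting_period) for w in waves)
    return covered_hours * hourly_revenue


def compensation_single_claim(waves: List[Wave], waiting_period: float,
                              hourly_revenue: float) -> float:
    """All waves are aggregated into one claim: the waiting period is deducted
    once from the total outage time (a simplifying assumption for the example)."""
    validate_waves(waves)
    total_hours = sum(w.hours for w in waves)
    return max(0.0, total_hours - waiting_period) * hourly_revenue


def compare(waves: List[Wave], waiting_periods: List[float],
            hourly_revenue: float) -> Dict[float, Tuple[float, float]]:
    """Map each waiting period to (separate-claims payout, single-claim payout)."""
    return {
        wp: (compensation_separate_claims(waves, wp, hourly_revenue),
             compensation_single_claim(waves, wp, hourly_revenue))
        for wp in waiting_periods
    }


# Constructed incident: three waves, 9 hours of actual outage, resolved by hour 11.
SAMPLE_WAVES = [Wave(0.0, 3.0), Wave(4.0, 8.0), Wave(9.0, 11.0)]
HOURLY_REVENUE = 10_000.0          # constructed: revenue lost per outage hour
WAITING_PERIODS = [12.0, 8.0, 4.0, 2.0, 0.0]   # constructed candidate retentions

if __name__ == "__main__":
    print(f"uninsured loss: {uninsured_loss(SAMPLE_WAVES, HOURLY_REVENUE):,.0f}")
    print("waiting period | separate claims | single claim")
    for wp, (sep, single) in compare(SAMPLE_WAVES, WAITING_PERIODS, HOURLY_REVENUE).items():
        print(f"{wp:>14.0f}h | {sep:>15,.0f} | {single:>12,.0f}")
```

With the 12-hour retention both settlement methods pay nothing, and under the separate-claims reading even a 4-hour retention pays nothing because no single wave exceeds 4 hours; the retention only becomes meaningful once it is shorter than the individual waves.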

2.3.4 Effect of Cyber Insurance on Social Welfare

A substantial amount of previous research on cyber insurance has focused on the definition of cybercrime and its effect on the market. Through their paper, Kuru & Bayraktar (2017) aim to analyze the relationship between cyber insurance and social welfare, and at the same time compare it among three countries: the USA, the UK, and Turkey. The paper answers two cyber insurance questions: "What kind of contribution does cyber insurance make to social welfare?", and secondly "what kind of problems do insurers and insured have to face?". To do this, the authors use the model from Kesan, Majuca, and Yurcik's (2006) paper to measure the welfare gains and losses of cyber insurance at different probabilities and risk levels. Due to the lack of available data, the model in this paper views countries as firms and measures changes in GDP for different risk and probability levels. By doing so, the paper can illustrate the utility gained or lost by purchasing cyber insurance, which in turn depends on whether or not an attack happens.

The paper also looks at the optimal premium for cyber insurance, here the paper uses models developed by Cochrane (1997) and Kesan et al. (2006) to calculate the maximum amount insured would be willing to pay at different risk levels and attack probabilities. This was done by identifying the effect of welfare, which makes it possible to state the optimal trade-off between expected gain and level of risk. To understand the full effect of cyber insurance, the authors also measure the welfare loss that can occur due to adverse selection.

In insurance, there are two types of insured, high-risk and low-risk, which differ by their probability of risk and attack. In an insurance market with adverse selection, the insurers are not able to distinguish between the low- and high-risk insured. In that case, the insurer will offer full insurance to the high-risk customers but cannot offer full insurance to the low-risk customers. This is because, under the adverse selection problem, the high-risk customers will have an incentive to mimic the low-risk customers and purchase the low-risk insurance. Thus, low-risk insurance will be more expensive than it should be, leaving the low-risk customers without insurance. This leads to a welfare loss for the low-risk customers that would not be present without adverse selection. The authors calculate this loss as the difference between having an ideal cyber insurance policy and a condition somewhere between having no insurance and having a cyber insurance policy.

Lastly, the paper concludes that cyber insurance would have a positive impact on social welfare by making the Internet safer for all users. The result of the analysis shows that the problems of adverse selection can be eliminated with an accurate risk assessment, leading to appropriate premium levels for the insured (Kuru & Bayraktar, 2017).

(20)

2.4 Cyber Data and Market Challenges

2.4.1 The Cybersecurity Imperative Pulse Report

ESI Thoughtlab is a thought leadership firm that generates insight through rigorous research and economic analysis (ESI Thoughtlab, 2020). ESI conducts an annual survey on cyber security. The 2019 survey gathered information from 467 companies in 17 countries, roughly 20% mid-sized and 80% large companies across several industries. In it, companies identified the Internet of Things (IoT) as the most significant vulnerability to their IT infrastructure. ESI also states that rapid innovation in IT, such as IoT and cloud technology, increases corporate cyber risk if safeguards or precautions are not built into the systems up front.

Older technologies such as email servers, laptops and out-of-date software, together with weak authentication and user error, also pose a substantial risk for companies.

Further, ESI argues that companies are becoming better at identifying vulnerabilities and that they allocated around a quarter of their cybersecurity budget to risk identification in 2019. ESI also states that cyber vulnerabilities vary depending on the industry. They found that industries that have adopted the IoT have started to move away from sourcing technology based on price, and towards sourcing based on security. This shift in sourcing is a result of the realization of the risk of the IoT after several high-profile attacks through IoT devices.

Comparing the 2018 and 2019 surveys, ESI finds that companies report higher losses from cyber attacks. These losses are in line with the growth in the number and size of cyber attacks across industries. ESI also states that part of the increase reflects better corporate systems for detecting attacks and measuring their cost, which raises companies' estimates of cyber attack losses.

The survey found the following average cyber losses by company size:

Company size   Average revenue   Average loss   Loss as % of revenue
Mid-size       $600 million      $1,556,250     0.259%
Large          $4.4 billion      $3,309,375     0.076%
Very large     $26 billion       $10,773,423    0.042%
Average        $8.75 billion     $4,738,115     0.114%

Table 1 (ESI Thoughtlab, 2019, p.9).

2.4.2 Enhancing the Role of Insurance in Cyber Risk Management

The Organisation for Economic Co-operation and Development (OECD) (2017) provides an overview of the main challenges to the development of the cyber insurance market, in terms of both insurers' willingness to provide coverage and companies' demand for it. To understand the insurers' challenges, OECD points to three criteria that are generally needed for the insurability of a risk to be economically viable:

• The risk must be quantifiable.

• A sufficiently large community to share risk must exist.

• Risk must occur randomly.

The extent to which the character of a given risk meets these criteria (among other factors) will impact whether insurance companies can collect the premiums necessary to cover the potential total losses of a community of insured. One can thus use these criteria to analyze the current cyber insurance market to find factors that may prevent the development of the market. Through an OECD questionnaire on cyber risk insurance, OECD found that of 36 insurance sector respondents, about two-thirds identified the ability to quantify cyber exposure as a concern. They argue that this is mainly due to the lack of historical data, the changing nature of cyber risk and lack of access to corporate security information, which is needed for underwriting individual risks.

Further, OECD states that some reports argue that accumulation of risk is the primary reason insurers limit cyber insurance coverage. Its own questionnaire found that respondents identified accumulation as one of the most important drivers of cyber risk. They point to the possibility of a catastrophic event, such as the exploitation of a weakness in a commonly used software product or system. In such an event, losses would be correlated across the insured and accumulate to a level the insurance market may not have the capacity to handle, leading to numerous exits from the market.

On the demand side, OECD points to several factors that may reduce demand and willingness to pay for cyber coverage, such as companies not being aware of the potential losses from cyber risk. Several recent studies carried out in Europe show that awareness of cyber risk and senior management's attention to it have increased. However, the studies also show a gap between this increased awareness and translating the risk into estimates of potential losses, which would normally be the starting point of the insurance acquisition process.

Another critical factor is that companies misunderstand or are not aware of the level of coverage available for cyber risk, both from standalone cyber policies and from more traditional policies. As a result, companies cannot determine what coverage gaps they currently have, which contributes to the low take-up of cyber insurance in the market.

Figure 1 illustrates the potential overlap of coverage between standalone cyber policies and traditional policies:

Figure 1. Source OECD on JLT Re (2017)

The last factor OECD draws attention to is the mismatch between the coverage offered and what companies are seeking. A global survey of companies found that 36% of respondents stated that inadequate coverage relative to exposure was a significant reason for not acquiring cyber insurance. A UK survey found that 77% of companies reported that cyber insurance only partially met their coverage needs. These studies did not identify why the companies' needs were not met, but limited coverage for reputational damage and intellectual property theft are likely reasons.

2.5 Summary of Literature Review

In general, the existence, and hence the research, of cyber insurance is relatively new. Still, a fair amount of research on the topic has been carried out, with the main focus on theoretical research and models rather than on empirical research. The available literature therefore often lacks definitions and standards based on empirical research and practical examples, though it frequently encourages future research to supply them. The current research is provided by both organizations and researchers. As the cyber insurance market and the number of relevant cyber attack examples grow over time, the availability of data and information will increase, and the data will eventually be extensive enough to support more in-depth analyses. It can therefore be expected that the current theoretical research will be accompanied by an increasing number of papers based on empirical research.

3 Theoretical Framework

3.1 Definitions

Marotta, Martinelli, Nanni, Orland & Yautsiukhin (2017) provide a structure for definitions related to insurance, intended to give an understandable context and basis for insurance and cyber insurance. Following that structure, we define the actors, risk management, insurance policies, retention, cyber risk and the relevant aspects of cyber insurance.


3.1.1 The Actors

The principal actors in insurance are the insured and the insurer. The insured is the actor who wishes to transfer risk, and the insurer is the actor who assumes the risk under a given set of conditions. Insurance companies, also referred to as insurance carriers, assume risk in exchange for compensation. There are several other actors in the insurance industry, such as brokers, agents and reinsurers, which provide different functions to support and enable insurance. In this thesis we refer to an insured party as an "insured entity" and to an insurance company as an "insurance carrier".

3.1.2 Risk Management

Risk can be defined as exposure to adverse situations (Gupta, 2008, p. 3). The exposure to adverse situations indicates that the entity is exposed to a degree of uncertainty; the uncertainty is based on the assumption that a given scenario is either favorable or unfavorable. The occurrence of risk is defined as an incident.

Risk is dependent on two aspects:

1. Threat, which states the cause of the risk such as an explosion or defective products.

2. Vulnerability, which is a weakness that can result in an incident, such as poor maintenance (Marotta et al., 2017, p. 39).

As a consequence of an incident, there could be a loss of wealth or other assets; this is defined as an impact. The impact can be both tangible such as damage on machinery and intangible such as loss of reputation and intellectual property (Marotta et al., 2017, p. 39).

We can hence conclude that risk exists when there is a cause, a possibility and a consequence; in other words, a threat, a vulnerability and an impact. Risk can thus be expressed as Risk = Probability × Impact (Marotta et al., 2017, p. 40).

"Risk management is an integrated process of delineating specific areas of risk, developing a comprehensive plan, integrating the plan, and conducting an ongoing evaluation." (Gupta, 2008, p.9). Risk management can therefore be broken down into three components: risk analysis, to identify and evaluate the different risks; risk control, to avoid, eliminate, mitigate and limit severity; and risk financing, to transfer or reduce risk. Risk management thus amounts to reducing either probability or impact, which decreases the risk as illustrated in the function above.

Insurance is a contractual transfer of risk, a method of risk financing. When an insurance carrier enters into an insurance contract with an insured, the carrier agrees to indemnify the insured's losses if an incident occurs. Thus, under a set of terms and conditions, the carrier agrees to share some of the risk. In return it charges a price for assuming the transferred risk, referred to as the premium (Gupta, 2008, p.12).

3.1.3 Insurance Contract

Insurance policies are contractual agreements between an insurer and an insured that facilitate a transfer of risk. They include terms and conditions that both parties shall adhere to, as well as premiums, exclusions, coverage and other provisions specific to the agreement. Coverage is the amount of risk and liability transferred to the insurer. Exclusions carve specified causes or losses out of the coverage. For example, a property policy may cover a factory fire but, through an exclusion for destruction by extreme weather, not cover damage caused by a flood (Marotta et al., 2017, p. 40).

Insurance coverage falls under two umbrella terms, first-party and third-party loss. First-party loss consists of losses borne by the insured itself, such as property damage and business interruption. Third-party loss is loss inflicted on another entity, such as liability claims (N. Unhammer, personal communication, February 4, 2020).

3.1.4 Retention

Retention moderates the insurer's risk by placing a financial responsibility on the insured, which may limit risky behavior such as moral hazard. Moral hazard is the risk that the insured misuses services or goods on the assumption that it is detached from the risk after entering into an insurance agreement (Wolferen, Inbar & Zeelenberg, 2013). Retention reduces the premium, and hence the cost of insurance for the insured entity, as the entity assumes responsibility for part of the cost of a claim (Burnecki, Nowicka-Zagrajek, Wyłomańska, 2005, p. 427).

Risk retention in insurance may refer to several different methods of retaining risk; it is most commonly defined as either a deductible or time retention, i.e. a waiting period (Insurance Information Institute, n.d.).

3.1.5 Cyber Risk

While there is not yet a universally accepted definition, Cebula and Young (2014, p.1) define cyber risk as "operational risks to information and technology assets that have consequences affecting the confidentiality, availability, or integrity of information or information systems". The term "cyber" can then be said to consist of two elementary components, electronic communication networks and virtual reality, and these two elements are what differentiate cyber risk from other risk domains. Virtual reality relates to the intangible nature of cyber risk and the resulting complexity of assessing its implications. Networks are closely related to cyberspace and refer to the networks that agents connect to, including both offline and online networks (Eling & Schnell, 2016).

What separates cyber risk from traditional risk is the high correlation and aggregation of risk caused by the interconnectivity between actors, a result of the global reach of IT systems (Ogut, Raghunathan, & Menon, 2011; Böhme & Kataria, 2006). The monoculture of a few widely adopted IT systems also increases the aggregation of risk: a weakness or breach in one system can be abused against every other user of the same system. Monoculture and high interconnectivity remove the natural diversification of traditional risks, such as geographical limits, which adds to the complexity of estimating the scope of impact.

Cyber risk is composed of different threats, which Cisco summarizes. Among these are malware attacks, where malicious software such as spyware, ransomware, viruses and worms breaches the network through a vulnerability. Phishing attacks send fraudulent communication made to appear as if it comes from a legitimate source; the goal is to steal sensitive data and/or install malware on the victim's machine. A denial-of-service (DoS) attack floods systems, servers or networks with traffic, exhausting their resources and bandwidth (Cisco, n.d.).

3.2 Properties of Cyber Insurance

Compared to the development of more traditional insurance, the complex conditions of cyber risk complicate the development of cyber insurance. The impact and the likelihood of an incident are especially heavily influenced by the unique properties of cyber risk, thus skewing the estimates and development of cyber insurance.

3.2.1 Impact

The properties of cyber risk mean there is a lack of natural limits, which further complicates how insurers estimate impact. Due to the monoculture of IT systems and the aggregation of risk, the correlation between incidents may be higher than for insurance in general, and a cyber incident may have indirect consequences and a cascading effect on tangibles and intangibles (Frumento & Dambra, 2019, p. 58).

Frumento and Dambra (2019) further elaborate on how cyber incidents may have comprehensive consequences for intangibles. This complicates the effort to estimate impact, given the difficulty of quantifying intangibles such as reputation and intellectual property and the related "damage" (Toregas & Zahn, 2014). Toregas and Zahn (2014) therefore conclude that it is difficult to estimate how extensive and significant an incident could be.

3.2.2 Probability

It is challenging to estimate the probability of a cyber incident occurring. This is due to the difficulty of estimating impact, the accelerating technological development, and the lack of data and information sharing (ENISA et al. 2012; Eling & Schnell, 2016; CISA, 2019). CISA (2019) states that the lack of information sharing inhibits the development of adequate tools and intensifies information asymmetries between the insurer and the insured. Further complicating the estimation is the sheer number of incidents: Hiscox found in its 2019 survey that 61% of respondents had experienced a cyber incident (Hiscox, 2019).

3.2.3 Coverage

First-party coverage in cyber insurance covers losses incurred directly by the insured, such as destruction of property, loss of information, financial loss due to cyber extortion, business interruption and PR costs. Third-party coverage covers costs arising from third-party losses, such as data compromise, loss of third-party data and private information, defense and settlement costs, litigation costs, fees and fines (Romanosky, Ablon, Kuehn & Jones, 2019).

The interdependencies of the global digital world highlight the risk of underwriting cyber insurance. The cyber-specific concern is the high accumulation of risk due to high correlation. As the NotPetya attacks illustrated, several companies in different industrial sectors on different continents were hit simultaneously (Greenberg, 2018). This undermines the practice of writing cyber insurance across different sectors in order to diversify, mitigate the accumulation of risk and offset total losses.

3.2.4 Information Asymmetry

Information asymmetry refers to a situation where one entity does not have access to the same information as another. Marotta et al. (2017) describe how insurance works sub-optimally when there is high information asymmetry between insurer and insured, and information asymmetry is strongly present in cyber insurance through adverse selection and moral hazard. Adverse selection means that companies that have experienced a severe cyber incident are more likely to purchase cyber insurance (Shackelford, 2012); moral hazard means that companies may be inclined to invest less in cybersecurity because cyber insurance is in place.

3.3 Insurance Market

To understand the evolution of the cyber insurance market, one has to understand how the insurance market develops, writes and, in some instances, tailors insurance to customers. This process involves several participants; the principal actors of the insurance market can be divided into six segments.

• The demand side, companies pursuing insurance

• Insurance carriers

• Insurance- and reinsurance brokers

• Insurance agents

• Reinsurance companies and syndicates

• Regulatory authorities

Insurance Brokers

Insurance brokers work for the insured entity or would-be insured. This was clearly stated by law and formulated by Lord Justice Hobhouse (Zhang, 2014). As an agent of the insured or would-be insured, this involves advising the entity on different domains. Such domains could be coverage, advising on exposure to risks, and working with insurers during a tender-process (CIAB, n.d). During the acquiring process of insurance, a would-be insured will enter into a contract with an insurance broker. The insurance broker will examine the needs of the would-be insured, present possible insurers and relevant products and assist in the tender process.

Furthermore, insurance brokers may be of assistance during an incident which may require further scrutiny, or if the insurance terms have been triggered and there is a need for negotiations.

Insurance Agents

Opposed to insurance brokers, insurance agents are licensed to conduct business on behalf of insurance carriers. The agents hence represent the insurance carrier in the insurance process and generally operate under the terms of what is called an agency agreement. The insurer-agent relationship can take several forms; independent, exclusive, insurer-employed, or self-employed. An independent agent works on contract with several insurance carriers, whereas an exclusive agent either works with one insurance carrier or sells a single type of policy from several carriers. A self-employed agent is independent of carriers and can sell any insurance product from any carrier. On the other hand, an insurer-employed agent can "only" sell insurance products from the carriers he/she operates with (CIAB, n.d)


Regulatory Authorities

To understand why the insurance market is regulated, it is necessary to understand the purpose of regulation. Broadly, regulation can be defined as the imposition of rules by the government, backed by penalties, that are meant to modify the economic behavior of individuals and firms in the private sector (OECD, 2018). OECD (2018) further describes an insurance regulator as any authority that initiates and develops legislation and/or non-legislative regulation (i.e. rulemaking). Such legislation and regulation is meant to ensure that the interests of policyholders are protected, that the stability and robustness of the insurance market are promoted, and that inappropriate behavior by insurers, reinsurers and affiliated service providers is avoided (p.13).

Reinsurance Companies and Syndicates

To provide an economically sustainable policy, an insurance carrier must be able to offer it to a wide range of insured entities, so that the accumulated premiums yield a positive net revenue. However, as the pool of policies grows, the total risk pool grows with it (Emrich & Czajkowski, 2013). If an incident requires the carrier to indemnify multiple policyholders simultaneously and the accumulated premiums do not cover the total amount, a reinsurer provides financial support to the carrier; in practice the reinsurer acts as an insurer for the primary insurance carrier. Reinsurance provides an effective risk transfer mechanism for insurance carriers and allows them to write insurance for large, accumulated and complex risks (Pohl & Iranya, 2018, p.7). Reinsurance syndicates, groups or pools of insurance carriers and/or reinsurers, provide an enhanced ability to offer coverage for highly risky liability exposures such as cyber risk.

Figure 2 - The Insurance Market


3.3.1 Insurance Industry

Where the "insurance market" can be used as a terminology which include all the actors within insurance, the "insurance industry" is used for the specialized professional part of the market, i.e., the brokers, agents, insurance carriers and reinsurance companies.

The insurance industry's product channel can be divided into two key components, namely the development of policies and the sale and further tailoring of the policies' terms and conditions, as illustrated in figure 2. If organizations or companies wish to obtain their own program instead of an operator program, the two components merge into one integrated process.

The process of developing new insurance products involves the entire insurance industry. Development of a new product starts when the current products are inadequate to meet an emerging demand. Insurance carriers then estimate whether there is an economic incentive to serve that demand. To do this, the carriers cooperate with insurance brokers to understand their customers' needs, and collaborate with reinsurance companies to access their experience and data for estimating the unknown risk, pricing premiums and establishing reinsurance pools. For traditional insurance products, insurance and reinsurance companies have many years of cumulative experience, data and understanding of cause and effect, so they arguably have adequate tools to estimate the risk of traditional insurance elements accurately and price premiums "correctly". For instance, the industry can approximate the probability of a fire in a specific building from earlier incidents, geographical knowledge, known parameters and the likelihood of the fire spreading to nearby buildings. Insurance companies are therefore confident in their risk estimates and can calculate a premium proportional to their beliefs about the risk (N. Unhammer, personal communication, February 4, 2020). For cyber insurance, the existing tools and data are not sufficient for insurance companies to estimate risk and price premiums confidently.

There are two ways of calculating a premium: from actuarial data or from normative standards. With actuarial data the insurance carrier takes a retrospective look at historical data and statistics, while with normative standards it bases the calculation on a causal relationship (Toregas & Zahn, 2014, p. 5). Actuarial data is not available for cyber risk (ENISA, Robinson & Rand Europe, 2012), and while there are some indications of normative standards, they are not solid enough to be considered viable (Toregas & Zahn, 2014, p. 5). Toregas and Zahn therefore conclude that traditional insurance computation and the current estimation tools are not a good fit for the fast-changing, dynamic environment of cyber risk and the underlying information asymmetries of the industry.

The lack of proper fit and adequate modeling methods skews the estimation of risk for the cyber insurance market (Eling & Schnell, 2016). As a result of this, the insurance carriers are more dependent on reinsurers with knowledge in specialty products such as cyber insurance. The unknown parameters and dependency on some few large reinsurers influence the development of cyber insurance products in such a way that the products are more homogenous than what is conventional for traditional insurance products (N. Unhammer, personal communication, February 4, 2020).

Traditionally, insurance carriers achieve profits through accurate pricing of policies, where the profit-maximizing scenario is that the aggregated indemnity for a given interval is less than the accumulated premium. For cyber insurance this relation has not yet been well examined and explained, mainly because little or no prior experience exists. Further complicating the case is the potential extent of cyber risk. It is substantially greater than that of traditionally insured risks, as it is not bound by traditional limitations of scope: a cyber incident can affect several parts of a global business simultaneously, compared to the "one incident, one segment affected" pattern of traditional risks. Due to the lack of experience and data, both insurers and reinsurers are reluctant to take as much risk in a cyber policy as in traditional policies, so risky policies require several insurers and reinsurers and hence insurance syndicates (N. Unhammer, personal communication, February 4, 2020). The uncertainty about the potential risk leads to high premiums, low coverage and ambiguous inclusions, since insurers and reinsurers need to mitigate and rationalize risk (Biener et al., 2015; Eling & Schnell, 2016). The uncertainty, homogenous products and high premiums create suboptimal product offerings for the insured or would-be insured and a suboptimal market for insurance and reinsurance companies.

3.4 Business Interruption

Business interruption is defined as a period when a business cannot operate due to an unforeseen event (Cambridge Dictionary, n.d.). During a business interruption an entity cannot provide, produce or offer its goods or services until the interruption is over. For example, a manufacturer suffering a breakdown of its manufacturing machinery cannot produce the planned output and therefore loses income.

Insurers therefore offer business interruption insurance, which allows the insured to mitigate the effect of a business interruption on income. Business interruption insurance covers losses directly caused by a loss-occurring event such as a fire, destruction of property or a DoS attack (Schumann, 2013). The insurer compensates for the loss of business income sustained during the coverage period, which may be described as the "period of restoration". Insurers often state a minimum time that must pass before business interruption coverage starts; this is defined as the waiting period.

3.4.1 Waiting Period

A waiting period is a method of risk retention: a contractual agreement on the time between the trigger of an insurance event (claim) and the start of the indemnified part of the period of restoration. Under such an agreement the insurance carrier does not compensate for any losses during the retention period. One objective of retention is to act as a buffer for the insurance carrier, so that it is not involved in minor incidents and claims (Burnecki, Nowicka-Zagrajek, Wyłomańska, 2005, p. 427).

For business interruption coverage in general, the waiting period is typically between 24 and 72 hours (Marsh, 2012), while for cyber insurance the waiting period for business interruption coverage varies between 8 and 24 hours, according to the policies gathered for this thesis and interviews with industry professionals. As with most elements of insurance policies, it is possible to negotiate a shorter or longer waiting period, but this affects the premium. Hence, the considerations related to the length of the waiting period are, in essence, a premium question.

3.5 Utility Theory

Utility is defined as the satisfaction which a consumer can obtain from a good or service. Total utility is a theoretical and conceptual term to measure several units of utility a consumer may gain from consuming a given good or service (University of Minnesota Libraries Publishing, 2011). The expected utility can, therefore, be defined as the utility which a consumer is expected to obtain, given a specific alternative occurring. The utility can, thus, be used as an indication of the amount of wealth and utility that different choices may provide. This may simplify a decision-making process, by "reducing a complex situation into a comparison between "real" values" (Goovaerts et al. 2008).

The von Neumann-Morgenstern utility function is one of the primary methods of analyzing decision-making in modern economic theory. We use a generic utility function $U(W)$, which gives the utility of an agent (consumer) at a given level of wealth. In the setting used here, the function is evaluated over two possible outcomes, a good and a bad one (Neumann & Morgenstern, 1944).

Attributes of the function are also dependent on the attitudes of the agent. The agent can either be risk-averse, risk-neutral, or risk-seeking.

A risk-averse agent prefers the alternative with less risk for the same expected wealth. A risk-neutral agent ranks alternatives by expected wealth alone and is indifferent to the risk involved. A risk-seeking agent prefers the riskier alternative for the same expected wealth.

For insurance to be applicable, the agent must be risk-averse and therefore prefer the choice which provides less risk. Mathematically derived, this requires that the first derivate has to be increasing, which means that inequality is 𝑈′(𝑊) > 0. This implies that the agent prefers a higher level of wealth. The second derivative is required to be 𝑈′′(𝑊) < 0; this indicates that the utility function is concave for a risk-averse agent. Concave utility function suggests that the marginal utility is decreasing for each new level of wealth.


Expected utility without insurance

Assume that an agent is exposed to a loss $L_e$ that occurs with probability $p$; with probability $1 - p$ the loss is zero and there is no impact. An agent without insurance therefore has wealth $W_1 = W_0 - L_e$ after an incident and $W_1 = W_0$ otherwise. The expected utility without insurance is:

$$E[U(W_1)] = p \, U(W_0 - L_e) + (1 - p) \, U(W_0) \qquad (1)$$

By Jensen's inequality, for a random variable, here $L_e$, and a concave utility function,

$$E[U(W_1)] \le U(E[W_1]) = U(W_0 - E[L_e]) \qquad (2)$$

An agent with such a concave utility function therefore prefers to pay the fixed amount $E[L_e]$ rather than bear the random and volatile loss $L_e$; this preference is precisely what it means to be risk-averse (Goovaerts et al., 2008).

Expected utility with insurance

Assume again that the agent is exposed to a loss $L_e$ that occurs with probability $p$ and is zero with probability $1 - p$. If the agent buys insurance, the agent is charged a premium $\gamma$ in exchange for a coverage (indemnity) $S$ paid out when the loss occurs, so an insurance contract can be written as the pair $(\gamma, S)$. The agent's wealth after the period is then $W_1 = W_0 - L_e - \gamma + S$ in the loss state (probability $p$) and $W_1 = W_0 - \gamma$ in the no-loss state (probability $1 - p$).

If we assume that the insured obtains full cover in case of a loss event, $S = f(L_e) = L_e$, while paying the premium $\gamma$, the insured's wealth is $W_0 - \gamma$ in both states, and the expected utility of the insured is:

$$E[U(W_1)] = U(W_0 - \gamma) \qquad (3)$$

The pure premium $\gamma$ is actuarially fair when the price of the insurance contract equals the expected loss, that is, when $\gamma = E[L_e] = p \, L_e$ (Autor, MIT & NBER, 2016). Comparing (3) with (2) shows that a risk-averse agent prefers full cover at an actuarially fair premium to remaining uninsured, since $U(W_0 - E[L_e])$ is at least as large as the expected utility without insurance.
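The derivation above carried through with a concrete concave utility function, as an added worked example that is not part of the original thesis. The utility function $U(W) = \sqrt{W}$ and the values $W_0 = 100$, $L_e = 36$ and $p = 0.5$ are assumptions chosen for illustration only.

Concavity check: $U'(W) = \tfrac{1}{2} W^{-1/2} > 0$ and $U''(W) = -\tfrac{1}{4} W^{-3/2} < 0$, so the agent is risk-averse.

Expected utility without insurance, from (1):
$$E[U(W_1)] = 0.5 \cdot \sqrt{100 - 36} + 0.5 \cdot \sqrt{100} = 0.5 \cdot 8 + 0.5 \cdot 10 = 9.$$

Actuarially fair premium for full cover: $\gamma = p \, L_e = 0.5 \cdot 36 = 18$, so from (3)
$$E[U(W_1)] = U(W_0 - \gamma) = \sqrt{82} \approx 9.055 > 9,$$
which is Jensen's inequality (2) for this example: $E[U(W_1)] = 9 \le U(W_0 - E[L_e]) \approx 9.055$.

The maximum premium the agent will accept for full cover, $\gamma_{\max}$, solves $U(W_0 - \gamma_{\max}) = 9$:
$$\sqrt{100 - \gamma_{\max}} = 9 \;\Rightarrow\; \gamma_{\max} = 100 - 81 = 19.$$

The difference $\gamma_{\max} - E[L_e] = 19 - 18 = 1$ is the risk premium: the amount above the expected loss that this agent is willing to pay to remove the uncertainty, and hence the room an insurer has to load the pure premium for expenses and profit while the contract still raises the agent's expected utility.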
